author | Wouter Tinus <win.acme.simple@gmail.com> | 2020-07-12 11:57:52 +0200 |
---|---|---|
committer | Wouter Tinus <win.acme.simple@gmail.com> | 2020-07-12 11:57:52 +0200 |
commit | 383d6f03c81677358a6a8bce92a45bb50d4a2487 (patch) | |
tree | 2debb3e954994e911a82982759230f043d377180 | |
parent | 90f3ccf8f02b1a8068f55630e4233fe580b422bb (diff) | |
support different algorithms and improve feedback
m--------- | src/ACMESharpCore | 0 | ||||
-rw-r--r-- | src/main.lib/Clients/Acme/AcmeClient.cs | 20 | ||||
-rw-r--r-- | src/main.lib/Clients/Acme/ExternalAccountBinding.cs | 28 |
3 files changed, 39 insertions, 9 deletions
diff --git a/src/ACMESharpCore b/src/ACMESharpCore
-Subproject bd6f0bbc0b0e1cb17303324a2a0b4c657a045ed
+Subproject 10ed9ffc9141d7d8e4ca207db4b3c924fad1bb1
diff --git a/src/main.lib/Clients/Acme/AcmeClient.cs b/src/main.lib/Clients/Acme/AcmeClient.cs
index 6536887..ca01ec2 100644
--- a/src/main.lib/Clients/Acme/AcmeClient.cs
+++ b/src/main.lib/Clients/Acme/AcmeClient.cs
@@ -75,7 +75,7 @@ namespace PKISharp.WACS.Clients.Acme {
_log.Verbose("Loading ACME account signer...");
var accountSigner = AccountSigner;
- IJwsTool? signer;
+ IJwsTool? signer = null;
if (accountSigner != null)
{
signer = accountSigner.JwsTool();
@@ -180,7 +180,6 @@ namespace PKISharp.WACS.Clients.Acme }
else
{
- var contacts = await GetContacts();
try
{
var (_, filename, content) = await client.GetTermsOfServiceAsync();
@@ -196,20 +195,31 @@ namespace PKISharp.WACS.Clients.Acme {
_log.Error(ex, "Error getting terms of service");
}
-
+ var contacts = default(string[]);
var externalAccount = default(ExternalAccountBinding);
- if (await _input.PromptYesNo("Use external account binding?", true))
+
+ if (client.Directory?.Meta?.ExternalAccountRequired == "true")
{
+ _input.CreateSpace();
+ _input.Show(null, "This ACME server requires an external account binding, meaning that you will need to register " +
+ "an account with the service provider prior to setting up this program. The service provider should provide " +
+ "the answers to the following questions");
var kid = await _input.RequestString("Key identifier");
- var key = await _input.ReadPassword("Key");
+ var key = await _input.ReadPassword("HMAC key");
+ var alg = await _input.ChooseRequired("HMAC algorithm", new[] { "HS256", "HS384", "HS512" }, x => Choice.Create(x, @default: x == "HS256"));
if (key != null && kid != null)
{
externalAccount = new ExternalAccountBinding(
+ alg,
JsonConvert.SerializeObject(client.Signer.ExportJwk(), Formatting.None),
kid,
key,
client.Directory.NewAccount);
}
+ }
+ else
+ {
+ contacts = await GetContacts();
}
try
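Review bot: When the directory advertises ExternalAccountRequired but the user leaves the key identifier or HMAC key empty, the `if (key != null && kid != null)` guard skips constructing the binding, externalAccount stays null and control falls through to the account-creation `try` with no EAB at all, so the failure only surfaces later as a server-side rejection; an explicit `else { throw new InvalidOperationException("External account binding is required by this ACME server, but no key identifier/HMAC key was provided."); }` would fail fast with an actionable message. Note also that `contacts = await GetContacts()` now runs only on the non-EAB branch, so an EAB-bound account is registered without a contact — if that is intended, a one-line comment saying why would help, otherwise the call belongs after the if/else. The removed `PromptYesNo("Use external account binding?")` also let users opt into EAB on servers that merely support it; with the `== "true"` gate that option is gone, which is worth confirming against the CAs you target. The enclosing method starts before and continues after this hunk.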
diff --git a/src/main.lib/Clients/Acme/ExternalAccountBinding.cs b/src/main.lib/Clients/Acme/ExternalAccountBinding.cs
index 64282ee..999d4e9 100644
--- a/src/main.lib/Clients/Acme/ExternalAccountBinding.cs
+++ b/src/main.lib/Clients/Acme/ExternalAccountBinding.cs
@@ -1,5 +1,6 @@ using ACMESharp.Crypto;
using ACMESharp.Crypto.JOSE;
+using System;
using System.Collections.Generic;
using System.Security.Cryptography;
@@ -8,12 +9,14 @@ namespace PKISharp.WACS.Clients.Acme class ExternalAccountBinding
{
public string AccountKey { get; set; }
+ public string Algorithm { get; set; }
public string Key { get; set; }
public string KeyIdentifier { get; set; }
public string Url { get; set; }
- public ExternalAccountBinding(string accountKey, string keyIdentifier, string key, string url)
+ public ExternalAccountBinding(string algorithm, string accountKey, string keyIdentifier, string key, string url)
{
+ Algorithm = algorithm;
AccountKey = accountKey;
KeyIdentifier = keyIdentifier;
Url = url;
@@ -24,7 +27,7 @@ namespace PKISharp.WACS.Clients.Acme {
var protectedHeader = new Dictionary<string, object>
{
- ["alg"] = "HS256",
+ ["alg"] = Algorithm,
["kid"] = KeyIdentifier,
["url"] = Url
};
@@ -34,8 +37,25 @@ namespace PKISharp.WACS.Clients.Acme public byte[] Sign(byte[] input)
{
var keyBytes = CryptoHelper.Base64.UrlDecode(Key);
- using var hmac = new HMACSHA256(keyBytes);
- return hmac.ComputeHash(input);
+ switch (Algorithm)
+ {
+ case "HS256":
+ {
+ using var hmac = new HMACSHA256(keyBytes);
+ return hmac.ComputeHash(input);
+ }
+ case "HS384":
+ {
+ using var hmac = new HMACSHA384(keyBytes);
+ return hmac.ComputeHash(input);
+ }
+ case "HS512":
+ {
+ using var hmac = new HMACSHA512(keyBytes);
+ return hmac.ComputeHash(input);
+ }
+ }
+ throw new InvalidOperationException();
}
}
}
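Review bot: The `throw new InvalidOperationException()` after the switch carries no message, so an Algorithm value outside the three cases — it is a public settable string and is not validated in the constructor — fails at signing time with nothing telling the user what went wrong; a `default: throw new InvalidOperationException($"Unsupported EAB HMAC algorithm '{Algorithm}' (expected HS256, HS384 or HS512).");` arm inside the switch would make the unreachable fallthrough explicit and the error actionable. The same applies to `CryptoHelper.Base64.UrlDecode(Key)`: the key is user-typed, so a malformed value presumably throws out of Sign rather than at the prompt — worth validating when it is entered. Since keyBytes is the raw MAC secret, clearing it after use (`CryptographicOperations.ZeroMemory(keyBytes)` in a finally, if the target framework provides it) would limit how long it lingers in memory.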